Snort mailing list archives

RE: MS Terminal Server Requests


From: "Knight, Ric" <RKnight () TUC ca>
Date: Fri, 20 Dec 2002 13:58:23 -0500

Ian, 

I think the point of the rule is to notify that the access occurred from
somewhere externally to somewhere in your home network. If both the client
and the server are defined as part of your $HOME_NET you shouldn't get the
alerts. 

As to the author... beats me...

Cheers
-Ric 

-----Original Message-----
From: Parker, Ian [mailto:parker.ian () syncrude com]
Sent: December 20, 2002 1:28 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] MS Terminal Server Requests


I was wondering who created the experimental Snort rule for detecting
malformed RDP packets in an MS terminal server request, SID 1447, and how
they came up with that particular payload. The reason I'm curious is that
every RDP packet to my terminal servers has this payload, so the rule gets
triggered all the time.

Ian Parker, GCWN

Senior Systems Analyst
Upgrading Plant Computing
Syncrude Canada Ltd

(780)790-4631
parker.ian () syncrude com



-------------------------------------------------------
This SF.NET email is sponsored by:  The Best Geek Holiday Gifts!
Time is running out!  Thinkgeek.com has the coolest gifts for
your favorite geek.   Let your fingers do the typing.   Visit Now.
T H I N K G E E K . C O M        http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



